PAOGA - Privacy & Trust in the Digital Age

March 03, 2010

A very interesting report in this week's Economist: Data, data everywhere. You can order the full 14-page report by email at rights@economist.com but here are a few extracts pertaining to our particular focus on Personal Information Management Services (PIMS).

"This [data management and analytics] industry is estimated to be worth more than $100 billion and growing at almost 10% a year, roughly twice as fast as the software business as a whole."

"The reticence [to reveal valuable trade secrets regarding data collection] partly reflects fears about consumer unease and unwelcome attention from regulators. But this is short-sighted, for two reasons. First, politicians and the public are already anxious. . . Second, if users knew how the data was used, they would probably be more impressed than alarmed."

The report proposes that existing privacy rules presume paper records and new global rules and policies are required for the interconnected online world. These need to cover six broad areas: privacy, security, retention, processing, ownership and the integrity of information.

Privacy

"The tension between individuals' interest in protecting their privacy and companies' interest in exploiting personal information could be resolved by giving people more control. They could be given the right to see and correct the information that an organisation holds, and to be told how it was used and with whom it was shared. Today's privacy rules aspire to this, but fall short because of technical difficulties which the industry likes to exaggerate. Better technology should eliminate such problems. Besides, firms are already spending a great deal on collecting, sharing and processing the data; they could divert a sliver of that money to provide greater individual control."

The PAOGA proposition, providing an individual with their own secure digital safe deposit box, means that the individual can impose these rules as a condition of sharing their personal information with a company with whom they want to have a relationship. This shift of control not only provides the individual with the peace of mind they require but reduces the companies' costs and regulatory risks, and improves their data accuracy and customer reputation.

Security

I understand that only 10% of even sensitive financial data is stored, shared and transmitted in encrypted form. Most data, even huge government data silos, rely on password protection and we are continually informed by the media how much of this data goes astray on lost CDs, memory sticks and laptops. Organisations, public and private, must stop copying data and move to controlled access, including the individual subject, providing both with an audit trail of who, when and why the data was accessed. PAOGA provides the individual with such an audit trail including when data changes are made. All of the individual's information and documents are encrypted when stored, shared and transmitted with the 'keys' held by an independent Trusted Third Party only accessible with the permission of the individual.

Retention

"Current rules on digital records state that data should never be stored for longer than necessary because they might be misused or inadvertently released."

Given that data about a middle-aged UK citizen is stored, on average, on 1,000 data silos around the world, most of which are without the knowledge let alone permission of the individual, then such rules are clearly unenforceable. Individual management of their own data allows them not only to ensure that such data is accurate and up to date, but that access to relevant data can be granted and terminated at the user's behest.

Processing

"Privacy rules lean towards treating personal information as a property right. A reasonable presumption might be that the trail of data that an individual leaves behind and that can be traced to him, from clicks on search engines to book-buying preferences, belong to that individual, not the entity that collected it."

A 'condition' that an individual may demand of a potential supplier could be that, in exchange for providing access to accurate personal information, they want the company to reciprocate by providing a synchronised copy of their activity records. This would also allow the individual to aggregate such information from multiple suppliers and use data analytics tools to review their own behaviour.

Ownership

It is my understanding that Personal Information, according to the European Human Rights Directive, is owned by the subject. That does not mean that an organisation, public or private, does not have legal obligations to keep records and appropriate information but I strongly object to them sharing or selling my personal information without my knowledge or permission and with no benefit to me. For example, I am not happy that the NHS propose to share or sell my records to other organisations without my knowledge but I would be willing to share my anonymised medical records with certain pharmaceutical companies or medical research organisations for a fee which I would like paid to a particular charity. My control, my consent, my benefit.

Integrity

The integrity and accuracy of information is crucial to both the individual and the organisation. Data cleansing and management is a considerable cost and ongoing task for organisations and is never complete. Data about an individual, however it has been acquired, can be out of date or simply mistyped during data entry. In most cases this is inconvenient but when organisations are increasingly making decisions about you based upon these data stores, errors could result in financial, employment, medical and legal loss and confusion with dramatic implications for the individual. The right of the individual to 'see and correct' seems an obvious mutual benefit. Data provided by an individual, such as asserting an educational qualification, can be 'certified' by an accredited Trusted Third Party, such as UCAS or the University, with a trackback for the enquirer.

There is no 'one size fits all' solution as we embrace this digital world and not everyone will be bothered to take control and responsibility for managing their personal information. However there is a substantial and growing number of citizens, consumers, students, employees, patients who are, to quote the report, 'anxious' - PAOGA provides them with the tools and services for a better way, an alternative, a choice. It is early days and we have much to do but the more people that use the service - the greater the benefits for both the individual and suppliers.

January 28, 2010

Just in case any organisations, big or small - public or private, still think that they can be cavalier about individuals' Personal Information, these few extracts may convince you that you need to embrace the 'user-driven' principles of VRM immediately.

Monetary penalties of up to £500,000 could be levied on businesses and other
organisations that breach the Data Protection Act. The new powers granted to the
ICO are expected to come into force on 6 April 2010.

Christopher Graham has called for custodial sentences as a deterrent to stop the
trade in unlawful personal information. The Information Commissioner said the
'existing paltry fines for Section 55 offences' were not enough to stop people
from engaging in such lucrative criminal activity. He added: "The threat of
jail, not fines, will prove a stronger deterrent."

The ICO will have the power to audit government departments without their
consent from April 2010. The move follows the passage of the Coroners and
Justice Act on 12 November 2009.

Failing to pay a £35 fee has led two recruitment firms to incur fines and costs
of more than £2,500. An accountancy firm from Newcastle-under-Lyme was also prosecuted and had to pay
a fine and costs of more than £1,700.

Over 100 data breaches were reported to the Information Commissioner's Office
in the final quarter of 2009. That brings the total number to 818 data breaches
since November 2006. Key concerns are the extent to which portable media containing unencrypted
personal information are still being lost or stolen and the number of data
breaches in the NHS. From April those who continue to be reckless or negligent
about the encryption of portable media will run the risk of financial penalties.
Concerns about the NHS have been raised with the Dept of Health.

A new plain-English guide to data protection has been produced by the ICO.
The guide uses practical business-based examples to help businesses and
organisations to safeguard personal data and comply with the law. Information Commissioner Christopher Graham added: "There are still too many
organisations playing fast and loose with personal data. Security breaches,
inaccurate records and instances of data being held for too long are too common.
This new guide will help organisations comply with the law and demystify data
protection." To view the guide on the website go to: http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx

Don't hesitate to contact me to evaluate how it can reduce costs and facilitate compliance.

January 26, 2010

MyCustomer.com publishes the second half of Doc Searls' predictions and emerging forms of VRM but I couldn't resist adding a few to his list.

As a long-term advocate of VRM (or SRM as I used to call it back in the last century) I fully agree with Doc and the ProjectVRM core principle of ‘user-driven’. However we at PAOGA prefer ‘user’ to ‘customer’ in this context as we provide secure VRM tools and services extending beyond the ‘Vendor Relationship’ to enhance individuals’ participation in their relationships as a citizen, patient, employee, client, student, et al. Let’s call it XRM.

Whilst Doc provides a number of examples whereby VRM can provide significant mutual benefits to both buyer and seller, I think there are a few more worthy of mention.

Trust matters. If you have any doubts about the significance of trust in relationships, or the murky depths to which it has sunk in recent times, then I would refer you to the book by Anthony Seldon – Trust: How we lost it and how to get it back (ISBN 978-1-84954-001-8). He quotes Henry Stimson (1867-1950), the US statesman as saying “The only way to make a man trustworthy is to trust him”. All relationships, whatever role we are playing, are enhanced by the appropriate level of trust and the principles of VRM, providing the reciprocal to CRM in our digital world, provide the necessary ‘two-way process’.

Because I’m worth it. No matter how high up the economic pyramid an organisation sits it is supported at the base by us as individuals. It is us who, through lack of trust, can bring down a government, cause a run on a bank, or desert a brand. As such it is simply good business to respect and trust your customer, employee, student, patient – and that includes protecting their personal information and relationship data. Trading in personal information without the owners’ permission is both illegal and unethical resulting in SPAM making up over 80% of internet traffic. The internet is too valuable and important to us all to abuse it this way and X-RM can fix this by providing the tools for individuals to manage and take responsibility for their personal information, wants and needs.

Is VRM Green? It could play a significant role as we, as individuals, become less wasteful and more conscious of the financial and environmental costs of unnecessary transportation. But that issue is for another blog.

January 14, 2010

"The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."

This would not be necessary if organisations, public and private, recognised the mutual benefits (cost reduction, data accuracy, enhanced relationship) of engaging with their customers by embracing the principles of Vendor Relationship Management (VRM).

December 01, 2009

Good day Wednesday at the Business Cloud Summit with, as Martin Banks and I agreed, a real buzz in the air which has been absent for some time. Stuart Lauchlan of Sift Media kept the event moving and the presenters on message. As usual, he asked the difficult questions that we were all thinking.

Cloud in the Public Sector

Adam Afriyie MP, Shadow Minister for Science and Innovation, stated his objectives as: Cut costs, No huge IT projects (lots of little clouds rather than one big G-Cloud), and Empower people (providing individuals with more control over their personal information). PAOGA can deliver all his requirements!

The CIO and the Cloud - Threat or Opportunity

I have never understood the semantic argument and confusion about the role of the CIO in an organisation. It seems to me that, in this information age, they should have the role of the Publisher in the publishing sector - i.e. they are legally responsible for the accuracy of ALL of the content created, acquired, stored and published by the organisation - it's where the buck stops! The CTO is responsible for ensuring that the hardware, software and services meet the organisation's requirements. Am I missing something?

Critical Foundations for Cloud Computing: Platforms and Infrastructure

In an earlier session Anthony Lye, SVP Oracle CRM, stated that "Customers no longer Trust Vendors". Does this ring any bells??? This breakdown of Trust is not limited to vendors.

There had been numerous references during the day to Private Clouds, Public Clouds and the G-Cloud with 'security of our data' being the spurious excuse for delay. I thought that this was an opportune time to remind them of the importance of the Personal Cloud in which I, as an individual using VRM tools and services like PAOGA, can keep control over and responsibility for my Personal Information and take care of my security to a level appropriate to me.

What organisations (Public and Private) can do today, in Cloud or in Premise, is to issue and enforce a policy to STOP COPYING DATA!!! No more CDs, Memory Sticks or downloads to Laptops!

October 05, 2009

Are you happy to read that Tesco track the shopping habits of 16 million families across Britain? That's one in two households providing 6 million transactions a day revealing such information as whether they have a baby, a pet or can't cook. Would you like a copy of the data they 'harvest' from your Clubcard transactions?

Your data is sold to companies such as Coca-Cola, Nestle and Unilever? Did you agree to that? Do you receive any of that fee?

And who do they sell it on to? Does it surprise you that the personal information of the average UK adult ends up being stored in over 1,000 data silos around the world? Is it any wonder that your data ends up in the wrong hands who, at best, can bombard you with spam and junk mail or, at worst, impersonate you causing financial and reputational loss?

If you would like to believe that 'the customer is king' then you need to take back control and responsibility for your personal information. Your Personal Information, secure 'under your control, with your consent, for your benefit'.

His views resonate with previous articles published by MyCustomer.com in July 2004, April 2005 and July 2006. Earlier this year I blogged The Credibility Gap referring to an article in Business Week about the benefits to organisations of embracing this development.

I also believe that the 'trust' in the 'global village' concept has been shaken by the effect of the collapse of the global economy and detect a huge surge of interest in downsizing back to supporting the local community. The benefits to both the individual and the extremely important SMEs (Small and Medium Enterprises - under 50 employees) are significant given that SMEs generate 80% of UK GDP, 80% of their customers live within 30 miles and 80% of the population live within 30 miles of their place of birth.

The VRM tools and services provided by PAOGA can support this initiative by working with all local suppliers and services (Local Authority, NHS Trust, Transport, Banks, Education, Clubs, Shops, Manufacturers, Service Providers etc.) to provide an homogenised service to their community generating a healthy local economy. The proposed decentralisation of authority and responsibility from central government to local authorities would be a welcome move improving the accountability of all concerned.

September 29, 2009

There is an emphasis in the marketing literature on data-mining as a facilitator of customer-centricity and competitive advantage. It is tempting to assume that benefits flow automatically to both buyers and sellers from ICT solutions (indeed the term ‘solution’ is axiomatic). This study examined the concepts of trust and trustworthiness in the e-commerce environment in relation to vendors known / not known to consumers and finds serious concern amongst consumers about the security, privacy and confidentiality of their personal data.

This study contributes to understanding consumer concerns about data protection in the online domain by:

• Exposing a high level of consumer concern over the requirement to provide personal details when shopping online;

• Indicating a need for immediate action to improve the security of customers’ personal data, and to provide assurance of the same;

• Revealing the importance of providing an ‘opt-out’ facility;

• Exposing the extent to which consumers need reassurance about data security, whether or not they have experience of the vendor offline;

• Enhancing understanding of the key role of website design and process functionality in perceived trustworthiness of vendors;

• Indicating that there is a high level of interest in the concept of a ‘digital security box’ motivated by a desire to eliminate unauthorised access to personal data.

Our findings suggest several managerial implications. We find that consumers are extremely concerned about the security, privacy and confidentiality of their personal data, whilst the literature (and media coverage) suggests that companies are failing to respond appropriately. Vendors need to take consumer concerns much more seriously and respond more proactively, for example, by encrypting data as a matter of course, storing data in one place, encrypted, protected by digital keys and with strict policies regarding replication. For consumers, ‘opt out’ should be the default unless they specifically, actively opt in to their data being shared or sold in return for some reward. All non-essential data should be deleted automatically, and personal data should be stored strictly according to data protection legislation. Data security can be a valuable source of differentiation, yet online vendors do not yet appear to be fully cognizant of its importance. We call for companies to take data protection much more seriously. We call also for the government to be more proactive in ensuring that consumer data is protected by strengthening data protection regulation and improving monitoring and audit activities.

This research has several limitations that point to future research directions. While our study focuses primarily on measuring trust and trustworthiness, future research could also measure consumers’ risk averseness and perceived self-efficacy in using ICT as both potentially could be intervening variables. Also, future research might explore the difference in the effect of trust between online stores that sell high and low-end products and different types of e-tailers such as pure play e-commerce sites, ‘bricks and clicks’, discounters, aggregators, mall-based stores and so on. We predict that the protection of consumer data will become an increasingly high profile issue as Web 2.0 applications proliferate and it behoves vendors to respond appropriately. We see a pressing need for more academic research in this field to provide empirical evidence to inform and support vendor responses. Despite the limitations of our study, we see it as an important addition to the marketing literature on trust in the e-commerce domain. As intimated, trust is a cornerstone of e-commerce activity; without it there would be no online transaction. Vendors need to remember that once broken, trust cannot be easily repaired; to misquote Abraham Lincoln, ‘If you once forfeit the confidence of your customers, you can never regain their respect and esteem’.

Extracted from Safe In Their Hands 2009 Research Paper from University of Surrey / PAOGA. I have emboldened what I believe are key points.

September 18, 2009

Introduction to the 40-page results of the academic research carried out in 2009 which is under review by an academic journal.

E-commerce continues to expand, but there is evidence of increasing unease amongst consumers over vendor commitment to data protection. This paper investigates consumer concerns about data security in the e-commerce domain and identifies the antecedents of i) perceived trustworthiness of unknown vendors and ii) trust in known vendors. The findings of our web-based survey reveal a high level of concern over data security and confidentiality and a lack of conviction that vendors are doing all they can to protect personal data. Website and process design along with explicit assurances that data will be protected are identified as antecedents of perceived trustworthiness of unknown vendors, whilst assurances and the ability to opt out of data being sold or shared influence trust once the vendor is known. We find that consumers would like to manage their own data, suggesting the prospect of first-mover advantages for companies adopting VRM (vendor relationship management) strategies.

AUTHORS:

Dr Ailsa Kolsaker is a Lecturer in Marketing and eBusiness in the postgraduate Management School, University of Surrey. Her interests lie in the application of new technologies to marketing. A Member of the Chartered Institute of Marketing and the Academy of Marketing’s e-Marketing Special Interest Group, she is currently leading research into consumer responses to mobile marketing and consumer concerns about data protection in the online world. She is also involved in researching the prospects for leveraging Web 2.0 to promote user-generated and co-created content.

Graham Sadd is Founder and CEO of PAOGA Ltd. which provides Personal Information Management Services (PIMS). Previously he was Founder and CEO of Infobank Plc (rebranded Izodia Plc) developing a B2B e-procurement enterprise solution. He has also founded and managed a number of businesses in the communications and publishing industries spanning graphic design, advertising, marketing, international book publishing, early electronic publishing, software development and international software publishing. Throughout his working life Graham has worked to exploit technology to automate repetitive tasks on the principle that People Are Our Greatest Asset.